adding an event on interpreted procs outbound network activity
#188
Conversation
interpreted procs outbound network activity
Before proceeding with this PR, I would like to discuss these two points:
quick look, just left preliminary comments.
PS
I like the helper 👍
events/helper/outbound_connection.go (outdated)

```go
if _, err := conn.Write([]byte("Sent by event-generator")); err != nil {
    return err
}
```
re:
Sending written data is not required to trigger this rule; the important thing is a successful connection. I included this part (sending written data) in the action to establish a connection only. If you prefer, we can remove this part.
I've no strong opinion. I'd avoid bothering 3rd-party service, if possible.
@FedeDP wdyt?
Agree, since the rule triggers without the data being actually written, we should just skip this part.
hey @h4l0gen
have you tried the latest implementation? does it still trigger the rule? 🤔
which part of this macro condition is meeting?

```yaml
- macro: outbound
  condition: >
    (((evt.type = connect and evt.dir=<) or
      (evt.type in (sendto,sendmsg) and evt.dir=< and
       fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
     (fd.typechar = 4 or fd.typechar = 6) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and
     (evt.rawres >= 0 or evt.res = EINPROGRESS))
```
Hi @leogr. Yes, the rule triggered successfully after the changes too.
This is how the macro condition got satisfied:
- As we used the `net.Dial` method, which performs an outbound connection, hence `(evt.type = connect and evt.dir=<)` is satisfied.
- A UDP connection is used.
- Using `example.net`, not RFC 1918 addresses (private IP range).
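As an added illustration of the two points discussed in this thread (the address clauses of the `outbound` macro, and opening a connected UDP socket without writing any payload), the following Go program is example code written for this page, not the event-generator's own helper. It assumes the RFC 1918 list contains exactly 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and uses `example.net:80` only as a constructed destination echoing the choice made in the PR; `IsOutboundDestination` and `DialOutboundUDP` are names introduced here.

```go
package main

import (
	"fmt"
	"net"
	"os"
)

// Prefixes excluded by the macro: the assumed contents of Falco's
// rfc_1918_addresses list plus the loopback net from fd.net != "127.0.0.0/8".
var nonOutboundNets = mustParseCIDRs(
	"10.0.0.0/8",
	"172.16.0.0/12",
	"192.168.0.0/16",
	"127.0.0.0/8",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// IsOutboundDestination mirrors the address part of the macro quoted above:
//   fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)
// It returns true when a connection to ip would count as outbound.
func IsOutboundDestination(ip net.IP) bool {
	if ip == nil || ip.IsUnspecified() {
		return false
	}
	for _, n := range nonOutboundNets {
		if n.Contains(ip) {
			return false
		}
	}
	return true
}

// DialOutboundUDP opens a connected UDP socket to addr and closes it without
// writing anything. net.Dial on "udp" issues connect(2), which is the
// `evt.type = connect and evt.dir=<` branch of the macro, so no datagram has
// to be sent; this matches the review decision to drop conn.Write.
// Note that resolving a hostname in addr performs a DNS lookup first.
func DialOutboundUDP(addr string) error {
	conn, err := net.Dial("udp", addr)
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	addr := "example.net:80" // constructed destination for the demo
	if len(os.Args) > 1 {
		addr = os.Args[1]
	}
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		fmt.Fprintln(os.Stderr, "bad address:", err)
		os.Exit(1)
	}
	ips, err := net.LookupIP(host)
	if err != nil {
		fmt.Fprintln(os.Stderr, "resolve failed:", err)
		os.Exit(1)
	}
	for _, ip := range ips {
		fmt.Printf("%s -> %s counts as outbound: %v\n", host, ip, IsOutboundDestination(ip))
	}
	if err := DialOutboundUDP(addr); err != nil {
		fmt.Fprintln(os.Stderr, "dial failed:", err)
		os.Exit(1)
	}
	fmt.Println("connected UDP socket opened and closed without sending data")
}
```

`IsOutboundDestination` lets you check a candidate target before running the generator, so a destination that resolves to a private or loopback address is caught without waiting to see whether Falco fires. The IPv6 loopback `::1` is deliberately not excluded, because the quoted macro only names `127.0.0.0/8`.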
Signed-off-by: h4l0gen <[email protected]>
git squashed
Signed-off-by: h4l0gen <[email protected]>
[APPROVALNOTIFIER] This PR is APPROVED. This pull request has been approved by: h4l0gen, leogr.
LGTM label has been added. Git tree hash: b75de9ef16e6312348f0bff9b3d60ffb1b31ba91
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area events
What this PR does / why we need it:
this triggers rule `interpreted procs outbound network activity`
Which issue(s) this PR fixes:
Fixes #152
Special notes for your reviewer: